The purpose of GDPR is to offer European citizens and residents protection over their personal data, and it requires companies to be upfront about the personal data they collect. Companies have to explain how they collect personal data, prove it’s handled safely, and explain your data clearly, in language that’s easy to understand.
That means no confusing legalese. It also requires companies to honor data deletion requests ("the right to be forgotten") and the "right to data portability", which compels companies to offer individuals a copy of their data in a common format, within 30 days and without charging them a fee.
Another consumer protection is mandatory breach notification. A data breach must be reported to customers within 72 hours of discovery.
GDPR also requires companies that collect large amounts of user data to hire a Data Protection Officer in addition to any current IT or data security personnel. This officer is the point person for compliance and liability.